VDB

CVE-2026-10706

CVE-2026-10706 PUBLISHED CVSS 7.5 HIGH

Reported by certcc · Published July 8, 2026

In Adalo’s no-code app builder, (Versions 1 and 2) the attackers may extract full user records and correlate user behavior across multiple applications via dbId enumeration. The platform does not implement data minimization, privacy by design, or implement appropriate technical safeguards, allowing sensitive information to be exposed to unauthorized parties.

Risk Scores

CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products

VendorProductVersions
Adalo No-Code App BuilderApp Builder1
Adalo No-Code App BuilderApp Builder1, 1

Timeline

  • Jul 8, 2026 CVE Published
  • Jul 9, 2026 EPSS Score
  • Jul 9, 2026 Coalition ESS Score
  • Jul 9, 2026 Security Advisory
  • Jul 9, 2026 CVE Updated

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›